One of the more curious episodes in yesterday’s #cashgordon debacle came by way of a tweet by “Jimmy Sparkle”, one of the techies whose playing with the Tories’ new webtoy helped to break it.

Jimmy is a web developer and cheekily took advantage of the non-existent security on the Cash Gordon website’s twitter feed to tweet a segment of Javascript that, for a very brief period of time, redirected visitors to the Tories’ site to his own personal site, Sparkle Interactive.

Compared to some of the other redirection scripts posted to the site before the Tories took it down, which included a rickroll and the infamous Goatse (and if you don’t know what Goatse is, don’t search for it at work – you’ll get fired), Jimmy’s piece of scripting was one of the least contentious and inflammatory things tweeted to the site all day. Nevertheless, within a couple of hours of the site being taken down, Jimmy put up this tweet.

The source of this telephone call was, at first, identified as ‘Laura Cooper’. However, further digging by a few people, including Niall Paterson of the Sky News blog resulted in Jimmy’s nuisance caller being identified as having been Lua, rather than Laura, Cooper, prompting a couple of very interesting admissions from CCHQ.

But even in the cab home, I’m working – Tories confirm tonight that Lua Cooper DID contact @jimmysparkle but is not a member of staff.

Ms Cooper is a “friend” of party worker, her actions were neither authorised nor condoned by CCHQ. She “felt strongly” abt hijacking of site

Well of course she felt strongly about it… after all, the Cash Gordon site was her boyfriend’s new pet project:

Thirty-odd years ago when he was Margaret Thatcher’s correspondence secretary, distinguished columnist Matthew Parris jumped into the Thames to rescue a drowning dog.

Now, one of his successors in Tory leader David Cameron’s office, speechwriter Sam Coates, has been boasting online of similar derring-do after coming across a man intent on suicide by the river near Westminster.

He tells his Facebook friends that he took his jacket off ready to jump in, but without getting wet “got him down – thankfully”.

Cooper’s phone call to Jimmy Sparkle’s employer may not have been authorised by CCHQ – it’s difficult to think that they’re that stupid, even after yesterday – but the other denial on offer here – the claim that she’s merely a ‘friend’ of a party worker, looks increasingly hollow given the apparent identity of the worker in question.

Samuel Coates was, after all, a former deputy editor of Conservative Home and a speech writer for David Cameron before moving to the Tories’ increasingly shambolic new media operation, and it seems a little odd that Cooper would be featured quite so prominently as the official ‘face’ of the Tories’ telephone canvassing operation were she not working for the party, if only in a voluntary capacity.

UPDATE

First of all, it was most remiss of me not to post Samuel Coates’ immediate reaction to Jimmy Sparkle’s claim that his workplace had been contacted by someone claiming to be from CCHQ:

I wonder if Sam will come to regret that last question, but just to drive home the point, I’ve reconstructed Niall Paterson’s exchange with Coates from their respective twitter feeds just to show how things actually went (Coates’ tweets are highlighted yellow).

Awww, looks like Lua’s not on Sam’s team – at least not in any official capacity. Unofficially… well that seems to have been a very different matter.

And finally, this is a full text of CCHQ’s statement about the phone call to Jimmy Sparkle’s workplace.

A Party spokesman said:

“This person is not a member of staff and her actions were not authorised by the Party. She is a friend of a party worker and felt strongly about the way this website had been hijacked and took it upon herself to make comments on the issue. She did this without our knowledge and we do not condone her actions.”

So, in CCHQ’s eyes, contacting Jimmy’s workplace with a spurious threat of litigation is just making ‘comments’???

Personally, I saw a much more apt description fly past on the twitter feed this morning – ‘canvassing with menaces’.

When asked if he knew a ‘Laura Cooper’ who may have been the source of the call, the man who is boyfriend to a ‘Lua Cooper’ gives a denial that’s technically correct but far from honest*; he even throws the question back in the poor gent’s face, as if he’s the dishonest party:

(*We haven’t heard from Samuel Coates since all of this came to light, but I doubt very much if he’s going to claim that he failed to make the mental connection when asked about a ‘Laura Cooper’ making these calls.)

I presume any suggested action by the Conservatives would be to do with hijacking the site (their property) to advertise Mr Sparkle’s services, i.e. seeking to benefit from others’ property without their consent, or to put it in simple terms theft.

Whilst redirection to other sites was funny (although risks causing massive offence in some cases – be interesting to see who would be blamed for this), redirection to your own site is clearly self-serving. Hence the reaction.

Oh, and tweeting code to a site to cause a particular reaction would fit the definition of hacking as far as I understand it.

(i) Might these exchanges be a tiny bit economical with the actualité? “neither authorised nor condoned” is all going a bit In The Loop … do they mean they *knew* but did not “authorise”? (Or that it was neither foreseen nor unforeseen).

niallpaterson: Cheers @chrismou. So @samuelcoates, anyone called Laura Cooper at CCHQ?
samuelcoates: @niallpaterson @chrismou nope! Anything like that would have come through our team as it’s our thing – and I can guarantee that it hasn’t.

This is a totally ridiculous story – even by Liberal Conspiracy standards!

First of all you are perfectly within your rights to make legal threats; you make it sound like Lua threatened some act of violence!

Secondly, this Labour stooge DID hack the site. By bypassing its security – even if there was none – and inserting a piece of code (Javascript via Tweet in this case) for malicious intent (the undermining of the site’s purpose, redirection, self promotion) the individual concerned is well within the legal definition of hacking.

David T Breaker: But CCHQ appear to be denying Lua Cooper was in any position to make any legal demands on their behalf. She therefore appears to have been bullying people with baseless legal threats. No-one said anything about violence, but I’m sure Unity would be happy to clear that point up faster than some Tory bloggers I could mention.

Most Tories with half a clue have given up on this line, David. I’ve not seen any evidence whatsoever that this Jimmy guy has any connection with politics of any sort. Searched his entire twitterfeed for Labour, Tory, Conservative, government, Brown and Cameron. Nothing. Also scanned back manually to the beginning of the year. Not a shadow of an even slightly political tweet. His Linked-In profile suggests that he is what he says he is – a web developer from Leeds. By all means, if you’ve got the evidence this was an elaborate sting by Labour and he was the claw, let’s have it.

I think what a lot of Tories fail to understand is that this sort of thing would have happened to *any* site so badly set up by a major organisation. Techie people will gravitate towards, expose and take the piss out of poor coding practice – it’s just a normal response within that culture (the underlying reason being that it ultimately makes for better code and higher standards). If it’s a high profile organisation, so much the better, because techie people enjoy cocking a snook at authority as much as anybody (maybe more).

It’s not surprising technically clueless people within the Tories don’t understand this, but it is a little surprising that the likes of Sam Coates and Will Heaven claim not to understand it. Either they’re lying, or they’re not very good at their jobs.

(Of course, there were certainly plenty of Labour people taking the piss as well. Maybe even a majority, I don’t know, I’ve not added it up. But unless some new info has come to light, you’re onto a loser as far as painting this particular guy as a Labour stooge goes.)

The scripting used to blow apart the Cash Gordon site was more or less the same stuff that I was using 10 years ago to disrupt web forums operated by fascists and other right-wing nutjobs on what was then a major US forum platform.

Somewhere on an old hard drive I still have a screenshot of the raving right-wing homophobe’s forum that I turned into a full page advert for San Francisco Gay Pride under the guise of ‘Pink Ronnie’.

Genuine question to people who are more tech-savvy than me – when the Tories have so much cash to throw at this stuff & presumably are paying for high-quality advice too, why do they keep getting it so badly wrong?

For what its worth, I was in the room when the phone call came in from “Tory HQ” (for now I’m assuming it was).

It was a little more detailed than just threatening to sue for “hacking” – I’m told she also mentioned redirecting to porn and other “sick websites”.

Amusingly, all Jimmy did was tweet a redirect to his own portfolio. No “sick websites” as she stated, which to me suggests she just picked the first name she saw, did a bit of research into his name and tried to blame him for every bit of code tweeted onto the site.

More amusing is reading him being described as a political stooge. Jimmy has no political affiliation to anyone, as far as I know. Although it does make me chuckle that now even Tory supporters have fallen into the habit of accusing every person not in full support of them as being one of those pesky Labour activists. Has someone been to the Nadine Dorries school of political debate?

Genuine question to people who are more tech-savvy than me – when the Tories have so much cash to throw at this stuff & presumably are paying for high-quality advice too, why do they keep getting it so badly wrong?

Good question. I think it’s partly because politics is still somewhat amateur-hour, and this case is a great example (right down to the girlfriend allegedly making threatening phone calls). For some reason, the Tories – and others – are selecting suppliers partly based on political affiliation rather than simple quality/cost-effectiveness. A lot of political websites seem to be of poor quality because they’re built by political believers rather than people who really know their shit, tech-wise.

In this case, I’m not sure who was responsible for the actual technical lapse that left the site open to exploitation (I cannot emphasise strongly enough that this error was of an elementary nature and would have been trivial to fix; it was actually harder for them to get it wrong than get it right). I’ve read that it was an American company who originally supplied sites to the Republicans, and that they were aware of the issues with their own product but hadn’t got around to correcting them. The Tories presumably overlooked these problems because they were keener on working with ‘friendly’ techies than high-quality ones. One might speculate that web techies tend to be of the ‘urban intellectual’ kind who are more disposed to vote Lib Dem or Labour than Tory, and therefore the pool of friendly techies the Tories can call on is limited, further degrading the Tories’ bargaining power, leading them to get very poor value for their money.

The irony is that true professional techies (like professional doctors, builders or graphic artists) care more about doing a good job than they care about the political affiliation of the people paying them to do it. Someone who is competing on quality alone and doesn’t have a partisan affiliation in common with their customer will actually feel greater pressure to do a good job, precisely because it’s a lot easier for them to lose the customer if they screw up. I suspect that the Tories will carry on using their suppliers even after this debacle because they’re on the ‘same side’, irrespective of whether this makes sense from a quality perspective.

Ah, “hacking” not defined as posting a piece of javascript (of the kind only a true techie would know) to interfere with people’s access to somebody else’s site, but it is apparently defined as dialing 1234 into a celebrity’s answering machine and because the person’s boss now works for the Tory party having been sacked from that job it is therefore completely and utterly appalling and David Cameron should sack him (again) and nobody should vote Tory despite all other mainstream parties having press officers that are arguably worse. Quite liberal with your definitions, there…

Tom FD, why don’t the Tories, either “officially” or not, take it to court then? Issuing threats and attempting to disrupt an employee/employer relationship with allegations is pretty irresponsible if you’re not going to test the point. I’d imagine JimmySparkle has a libel case against Lua Cooper if he wants one.

The scripting used to blow apart the Cash Gordon site was more or less the same stuff that I was using 10 years ago to disrupt web forums operated by fascists and other right-wing nutjobs on what was then a major US forum platform.

Somewhere on an old hard drive I still have a screenshot of the raving right-wing homophobe’s forum that I turned into a full page advert for San Francisco Gay Pride under the guise of ‘Pink Ronnie’.

Happy days, indeed.

Indeed. I have some pretty similar memories.

That said, and I hate to be a killjoy, but… I’m not actually sure that the actions against the Cash Gordon site are quite as justified as actions against outright fascists. Polluting the #cashgordon twitter stream with anti-Tory messages was obviously perfectly legitimate free speech, and the very first person to put HTML in the tweets has a viable defence of “I was just seeing what would happen”, but everyone else who piled in afterwards knew full well that they would end up causing visitors to the site to be redirected elsewhere. Some of the redirects were very funny to people like us because, frankly, we’ve both been to the kind of LAN parties where a goatse on your desktop is the least of your worries and have frequented the kind of internet forums where that kind of stuff is just what you come to expect.

But to do it to a political campaign site, when “civilians” might be visiting it (from work, where looking at geriatric homosexual threesomes may be frowned upon), is a bit different. Sure, we used to do this kind of stuff 10 years ago, but we were (I’m guessing, on your part) teenagers back then. This does raise questions about whether these kinds of tactics are legitimate in what’s meant to be mainstream debate between legal and ethically acceptable political parties. I daresay that LibCon isn’t always kept up to the latest secure release of WordPress, but you wouldn’t be amused if someone used the latest WP exploits to plaster goatse all over the site. The only difference between the two is that the Tories made it ridiculously easy to interfere with their site, but I’m not sure that there’s any difference in the intent or motive of the people doing it.

Puh-lease. We call ’em “script kiddies” (or “skiddies”) for a reason, and it’s not out of respect for their technical prowess. This kind of shit is trivial to just about anybody who didn’t just fall out of a tree. Cross-site scripting (XSS in the lingo) vulnerabilities are in much the same league as SQL injection attacks – relics of a bygone age, which absolutely nobody should fall victim to. It’s like leaving a note pinned to your front door reading “the key is under the mat, but it’s not locked anyway”. They should count themselves lucky that it was forcibly brought to their attention before someone did something really nasty with it.

“Genuine question to people who are more tech-savvy than me – when the Tories have so much cash to throw at this stuff & presumably are paying for high-quality advice too, why do they keep getting it so badly wrong?”

The site looks like a rush job knocked together quickly in an attempt to capitalise on the Whelan / Unite / Labour story while it was still in the headlines.

Technically the layout is poorly done, the code doesn’t validate and it doesn’t even attempt to meet accessibility standards. Not stripping tags from the tweets was a huge and very basic mistake but the rest of it’s a bit amateurish.

The idea behind the site is also a bit weird and vaguely stalkerish. They’re giving people brownie points for mildly harassing a named person, Charlie Whelan. The Tories don’t seem to have considered the risks involved, the whole concept is an open invitation to get trolled.

I’m surprised they put the site back up, I think it’s a safe bet we’ll hear more about this one.

Unfortunately, as Dunc points out, vulnerabilities that are this easy to exploit inevitably draw in the skiddies, which is the point at which you get Goatse’d.

It doesn’t take a genius to cut and paste a redirect script and amend the link, especially when it’s posted on something as public as Twitter, which is where the real embarrassment in all this lies.

Back in the day, the best take-downs were always the ones undertaken with a bit of finesse and subtlety.

The forum provider I mentioned earlier was, at one point, bought out by a really dodgy operator who was serving an SEC ban on certain types of share trades because of his history of involvement in pyramid selling. When we got wind of this, three of us ran a tag-team strike and successfully managed to post the guy’s entire dodgy business history on the company’s official support forum under the noses of the company’s staff.

I think that Dunc @22 is overly critical of the site’s owners and authors. 99% of internet users, quite reasonably, have no idea what SQL injection or XSS attacks mean. They shouldn’t need to do so; computer professionals should have got it right years ago; computer professionals should stop blaming users.

Just because I go down to the pub leaving a downstairs window open does not mean that I wish to be burgled. However I would be pissed off if I had paid somebody to ensure that all of my windows were closed when I left the house who did not do their job. Similarly, I’d be pissed off if professional authors created a site for me that included a common vulnerability.

From what I have read, this story compels me to wish a plague on both their houses.

99% of internet users, quite reasonably, have no idea what SQL injection or XSS attacks mean. They shouldn’t need to do so; computer professionals should have got it right years ago; computer professionals should stop blaming users.

We did get it right years ago. That was the whole point of my comment. Anybody who produces code which is vulnerable to these sorts of attacks is an idiot. Blaming it on “computer professionals” is like blaming “plumbers and electricians” when the ham-fisted moron you’ve hired wires your taps to the mains electricity supply.

Code injection is “unauthorised modification of computer material” as defined in section 3 of the Computer Misuse Act 1990.

IANAL, but I’m not sure about this. The Act specifies unauthorised modification, but in this case the modification in question has arguably been specifically invited. The whole point of the idea is to incorporate 3rd party content. In this case, certain 3rd parties have provided undesired content, but it’s not at all clear that such provision was unauthorised. If you invite people to write their own content into your website, you have to have either technical measures or provisions in your Terms of Use which control what sorts of content you are willing to accept. You can no more invoke the CMA here than you can when trolls show up at your blog, because you invited participation.

@27 Dunc: “We did get it right years ago.” If we go back ten or fifteen years, we can see three good examples of how developers perceived how the web would work:
* Java from Sun: applications run in a sandbox and, vulnerabilities excepted, applications do not have access to the host system unless explicitly permitted.
* IE/ActiveX from Microsoft: ActiveX controls are randomly downloaded to the host system on which users are encouraged to run with administrator privileges.
* Javascript from Netscape: applets were intended to run on the page from which they were sourced, but JS was never thoroughly considered before implementation. I think that I am being generous to Netscape.

We didn’t get it right. If somebody uses an old toolkit to create a site, it is going to have the old vulnerabilities. We can’t force people to upgrade their creation software, but there are other solutions. ISP hosting software could check for vulnerabilities and browsers, as part of the rendering process, could announce “don’t trust this site”.

Incidentally, all new plumbing systems are connected to ground earth via the building’s mains electricity supply.

Dunc: “The Act specifies unauthorised modification, but in this case the modification in question has arguably been specifically invited.” Like many places, LC uses the expression “Post a comment using the form below” to invite contributions. So it really comes down to the definition of a comment. Most people would regard a comment to be supplementary to the original content, not a substitute.

@29: But, Dunc, it takes years to recover from the poor decisions on which the internet (the consumer end) was founded. We are still far from it; web developers who assumed that IE 6 was the true platform have even doomed corporate IT to a few more years of misery. True professionals know that many international standards or corporate standards are flawed and address those problems. Consumers should not need to know whether those problems exist or to suffer from them.

We are still far from it; web developers who assumed that IE 6 was the true platform have even doomed corporate IT to a few more years of misery.

Wrong way round in my view mate – corporate IT managers who refused to upgrade have doomed web developers to more years of misery. The bastards. I’m still having to support them.

True professionals know that many international standards or corporate standards are flawed and address those problems.

True, but XSS is sod all to do with standards, it’s to do with the fundamentally flawed idea of accepting content from @world+dog and assuming that it’s trustworthy. That’s not a standards problem, that’s a “Javascript weenies pretending to be real programmers” problem. There’s never been a standard that says you’re not allowed to HTML encode or tag-strip user-provided content, it’s just that some lazy idiots don’t bother with the obvious safeguards.
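The two comments above about not stripping tags from the tweets and about HTML-encoding user-provided content describe the same safeguard. The following is an added example, not code from the Cash Gordon site or from whoever built it, showing a tweet feed rendered the unsafe way beside the encoded way. The tweet strings are constructed, and the function names (`renderTweetUnsafe`, `renderTweetSafe`, `escapeHtml`, `containsScriptTag`) are hypothetical.

```javascript
// Added example: rendering untrusted tweet text into an HTML fragment.
// Not code from the Cash Gordon site or its supplier; names are hypothetical.

// Constructed sample tweets. The second one carries markup of the kind the
// thread describes being fed into the site through its twitter feed.
const SAMPLE_TWEETS = [
  "Just voted in the #cashgordon poll",
  '<script>/* constructed, does nothing */</script>Hello & "goodbye"',
];

// HTML entity encoding for text nodes and double-quoted attribute values.
// This is the "HTML encode" safeguard from the comment above: the tweet is
// kept intact as visible text, but the browser never parses it as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The mistake the thread describes: the tweet goes straight into the page,
// so any tags it contains become live markup for every visitor.
function renderTweetUnsafe(tweet) {
  return `<li class="tweet">${tweet}</li>`;
}

// Corrected version: encode before interpolating into the template.
function renderTweetSafe(tweet) {
  return `<li class="tweet">${escapeHtml(tweet)}</li>`;
}

// Demonstration aid only (not a sanitiser): does the rendered fragment still
// contain an unencoded <script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Render the whole feed both ways and report, per tweet, whether live script
// markup survived into the output.
function compareRenderings(tweets = SAMPLE_TWEETS) {
  return tweets.map((tweet) => ({
    tweet,
    unsafeHasScript: containsScriptTag(renderTweetUnsafe(tweet)),
    safeHasScript: containsScriptTag(renderTweetSafe(tweet)),
  }));
}

// Stand-alone run: prints the comparison table to the console.
console.table(compareRenderings());
```

Of the two options the comment names, encoding is the one to reach for: it loses nothing the user typed, whereas tag-stripping has to decide what a tag is and throws away text the user meant literally. Either way, the fix lives at the point where the tweet is written into the page, which is why the thread describes it as elementary.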

@31 Dunc: “There’s never been a standard that says you’re not allowed to HTML encode or tag-strip user-provided content, it’s just that some lazy idiots don’t bother with the obvious safeguards.”

By definition, anyone who creates a website is not lazy. It takes more effort to register a host with an ISP and the rest, than to log into blogger.com. And when they make the effort, professionals should make it as easy as possible for them to deliver safe and secure content.

@28 I proposed the idea that poor understanding of security has set us up for the malware crapfest that we have endured. That crapfest was provided by “professionals”.